WASHINGTON -- The Internal Revenue Service (IRS) should take steps to limit employee
access to sensitive information about taxpayer bankruptcy petitions, a new report from the
Treasury Inspector General for Tax Administration (TIGTA) concludes.

The IRS is notified of bankruptcy cases because taxpayers are required to list their creditors and
liabilities when filing for bankruptcy protection. The IRS inputs the taxpayers’ sensitive
information into its Automated Insolvency System (AIS) to track the legal requirements for
dealing with the taxpayers and to protect the Government’s financial interests.

At the IRS’s request, TIGTA reviewed whether the IRS sufficiently limits employee access to
protect taxpayers’ personal data and to ensure that the Government’s interest is protected when
taxpayers file for bankruptcy.

Although some AIS access controls are in place, such as the automatic lockout control and
password complexity settings, TIGTA found that other required access controls have not been
implemented or are not operating effectively.

TIGTA found many IRS employees have excessive privileges on the AIS. Managers did not
ensure duties were adequately segregated among employees to prevent and detect unauthorized
activities. Also, AIS’s inadequate access control scheme caused managers to inadvertently grant
unneeded, excessive privileges to employees.

Additionally, TIGTA found that some significant actions taken by employees on taxpayers’
bankruptcy cases are not logged. This prevents managers from determining which employee
changed a taxpayer’s bankruptcy case or the IRS’s Proof of Claim and what changes were made.

“While TIGTA did not find errors or indications of fraud during its review, excessive employee
privileges on the AIS increase the risks that errors, fraud, or unauthorized activities could be
performed by employees acting alone or in collusion with others,” said J. Russell George, the
Treasury Inspector General for Tax Administration.

TIGTA made six recommendations to the IRS to limit access to the AIS to only those employees
with a business need.

The IRS agreed with the recommendations and is taking corrective actions.